ssl-test 1.0.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: e444097317630bf487a1e1c4c55baa00de963656
-  data.tar.gz: e82c53db8ae5371c3b6a77b5d7ac7b04064c09a4
+SHA256:
+  metadata.gz: 3192c4c66dc0345089108a47311eacba0e6b22ee1794896a9006bc2ff0fc7fce
+  data.tar.gz: 4306f6cc249d078ab07700ae5e42eac40d8387c6daefb41a1e43a43e169e6f29
 SHA512:
-  metadata.gz: da985b40c54ed631ddcc262b376b478660e2a294d66e42d910cfeb1663dc75bfd4ec491c572f2d04646738741607ad788eedf65872d084ef32a46dcb8c1c6b62
-  data.tar.gz: 40831c9f53c00a65f3f76866f8b4cf967faf3b1a289441094187dacdd948398733fa1665671c34e04e802b4d4e28dcc420a08b1840770827ce4307279e2cdc05
+  metadata.gz: 3ba176fda3fda4cf82f89c24a335fdb2e0ccdb7a735a228b2aae452afe7ebbc5b56cb6232d03a306315d9f14174a5f3ad8a383480b7180cee2ff7815e8471dfe
+  data.tar.gz: 7e7cf7ad82a36a541de9b65ad3bc30d4bf65577538249e6bf3980494d1829511c026b711571571c7b7ada5d60b70b4101776e3574734bb9fb4497db4e2fdb199

data/.travis.yml

@@ -0,0 +1,5 @@
+language: ruby
+
+rvm:
+  - 2.4.3
+  - 2.5.0

data/README.md

@@ -1,6 +1,6 @@
-# SSLTest
+# SSLTest [![Build Status](https://travis-ci.com/jarthod/ssl-test.svg?branch=master)](https://travis-ci.com/jarthod/ssl-test)
 
-A small ruby gem to help you test a website's SSL certificate.
+A small ruby gem (with no dependencies) to help you test a website's SSL certificate.
 
 ```ruby
 gem 'ssl-test'
@@ -47,9 +47,82 @@ cert # => nil
 ```
 Default timeout values are 5 seconds each (open and read)
 
+Revoked certificates are detected using [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) endpoint by default:
+```ruby
+valid, error, cert = SSLTest.test "https://revoked.badssl.com"
+valid # => false
+error # => "SSL certificate revoked: The certificate was revoked for an unknown reason (revocation date: 2019-10-07 20:30:39 UTC)"
+cert # => #<OpenSSL::X509::Certificate...>
+```
+
+If the OCSP endpoint is missing, invalid or unreachable the certificate revocation will be tested using [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list).
+
+If both OCSP and CRL tests are impossible, the certificate will still be considered valid but with an error message:
+```ruby
+valid, error, cert = SSLTest.test "https://sitewithnoOCSPorCRL.com"
+valid # => true
+error # => "Revocation test couldn't be performed: OCSP: Missing OCSP URI in authorityInfoAccess extension, CRL: Missing crlDistributionPoints extension"
+cert # => #<OpenSSL::X509::Certificate...>
+```
+
 ## How it works
 
-SSLTester simply performs a HEAD request using ruby `net/https` library and verifies the SSL status. It also hooks into the validation process to intercept the raw certificate for you.
+SSLTester connects as an HTTPS client (without issuing any requests) and then closes the connection. It does so using ruby `net/https` library and verifies the SSL status. It also hooks into the validation process to intercept the raw certificate for you.
+
+After that it queries the [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) endpoint to verify if the certificate has been revoked. If OCSP is not available it'll fetch the [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list) instead. It does this for every certificates in the chain (except the root which is trusted by your Operating System). It is possible the first one will be validated with OCSP and the intermediate with CRL depending on what they offer.
+
+### Caching
+
+OCSP and CRL responses are cached in memory, which makes subsequent testing faster and more robust (avoids network error and throttling) but be careful about memory usage if you try to validate millions of certificates in a row.
+
+About the caching duration:
+- OCSP responses are cached until their "next_update" indicated inside the repsonse
+- OCSP errors are cached for 5 minutes
+- CRL responses are cached for 1 hour
+
+CRL responses can be big so when they expires they are re-validated with the server using HTTP caching headers when available (`Etag` & `Last-Modified`) to avoid downloading the list again if it didn't change.
+
+You can check the size of the cache with `SSLTest.cache_size`, which returns:
+
+```ruby
+{
+  crl: {
+    lists: 5,
+    bytes: 5123456
+  },
+  ocsp: {
+    responses: 350,
+    errors: 2,
+    bytes: 45876
+  }
+}
+```
+
+You can also flush the cache using `SSLTest.flush_cache` if you want (not recommended)
+
+### Logging
+
+You can enable logging by setting `SSLTest.logger`, for example:
+
+```ruby
+SSLTest.logger = Rails.logger
+```
+
+SSLTest will log various messages depending on the log level you specify, example:
+
+```
+ INFO -- : SSLTest https://www.anonymisation.gov.pf started
+DEBUG -- : SSLTest + test_chain_revocation: www.anonymisation.gov.pf
+DEBUG -- : SSLTest   + OCSP: fetch URI http://servicesca.ocsp.certigna.fr
+DEBUG -- : SSLTest   + OCSP: 200 OK (4661 bytes)
+DEBUG -- : SSLTest   + OCSP: ocsp_ok
+DEBUG -- : SSLTest + test_chain_revocation: Certigna Services CA
+DEBUG -- : SSLTest   + OCSP: [false, "Missing OCSP URI in authorityInfoAccess extension", nil]
+DEBUG -- : SSLTest   + CRL: fetch URI http://crl.certigna.fr/certigna.crl
+DEBUG -- : SSLTest   + CRL: 200 OK (1152 bytes)
+DEBUG -- : SSLTest   + CRL: crl_ok
+ INFO -- : SSLTest https://www.anonymisation.gov.pf finished: revoked=false
+```
 
 ### What kind of errors will SSLTest detect
 
@@ -58,19 +131,22 @@ Pretty much the same errors `curl` will:
 - Incomplete certificate chain (missing intermediary)
 - Self signed certificates
 - Valid certs used with incorect hostname
+- Untrusted root (if your system is up-to-date)
+- And more...
 
-### GOTCHA: errors SSLTest will NOT detect
-
-There is a spefic kind or error this code will **NOT** detect: *revoked certificates*. This is much more complex to handle because it needs an up to date database of revoked certs to check with. This is implemented in most modern browsers but the results vary greatly (chrome ignores this for example).
+But also **revoked certs** like most browsers (not handled by `curl`)
 
-Here is an example of website with a revoked certificate: https://revoked.grc.com/
+## Changelog
 
-Any contribution to add this feature is greatly appreciated :)
+* 1.4.0 - 2021-01-16: Implemented CRL as fallback to OCSP + expose cache metrics + add logger support
+* 1.3.1 - 2020-04-25: Improved caching of failed OCSP responses (#5)
+* 1.3.0 - 2020-04-25: Added revoked cert detection using OCSP (#3)
 
 ## Contributing
 
 1. Fork it ( https://github.com/[my-github-username]/ssl-test/fork )
 2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create a new Pull Request
+3. Make sure the tests are passing (`rspec`)
+4. Commit your changes (`git commit -am 'Add some feature'`)
+5. Push to the branch (`git push origin my-new-feature`)
+6. Create a new Pull Request

data/Rakefile

@@ -1,13 +1,11 @@
 require "bundler/gem_tasks"
-require "rake/testtask"
+require "rspec/core/rake_task"
 
-Rake::TestTask.new do |t|
-  t.pattern = "test/*_test.rb"
-end
+RSpec::Core::RakeTask.new(:spec)
 
 desc "Open an irb session preloaded with ssl-test"
 task :console do
   sh "irb -rubygems -I lib -r ssl_test.rb"
 end
 
-task default: :test
+task default: :spec

data/lib/ssl-test.rb

@@ -1,34 +1,133 @@
+require "net/http"
 require "net/https"
+require "openssl"
+require "uri"
+require "ssl-test/object_size"
+require "ssl-test/ocsp"
+require "ssl-test/crl"
 
 module SSLTest
-  VERSION = "1.0.0"
-
-  def self.test url, open_timeout: 5, read_timeout: 5
-    uri = URI.parse(url)
-    return if uri.scheme != 'https'
-    cert = failed_cert_reason = nil
-
-    http = Net::HTTP.new(uri.host, uri.port)
-    http.open_timeout = open_timeout
-    http.read_timeout = read_timeout
-    http.use_ssl = true
-    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-    http.verify_callback = -> (verify_ok, store_context) {
-      cert = store_context.current_cert
-      failed_cert_reason =  [store_context.error, store_context.error_string] if !verify_ok
-      verify_ok
-    }
-
-    req = Net::HTTP::Head.new('/')
-    begin
-      res = http.start { http.request(req) }
-      return [true, nil, cert]
-    rescue OpenSSL::SSL::SSLError => e
-      error = e.message
-      error = "error code %d: %s" % failed_cert_reason if failed_cert_reason
-      return [false, error, cert]
-    rescue => e
-      return [nil, "SSL certificate test failed: #{e.message}"]
+  extend OCSP
+  extend CRL
+
+  VERSION = -"1.4.0"
+
+  class << self
+    def test url, open_timeout: 5, read_timeout: 5, redirection_limit: 5
+      uri = URI.parse(url)
+      return if uri.scheme != 'https'
+      cert = failed_cert_reason = chain = nil
+
+      @logger&.info { "SSLTest #{url} started" }
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.open_timeout = open_timeout
+      http.read_timeout = read_timeout
+      http.use_ssl = true
+      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      http.verify_callback = -> (verify_ok, store_context) {
+        cert = store_context.current_cert
+        chain = store_context.chain
+        failed_cert_reason = [store_context.error, store_context.error_string] if store_context.error != 0
+        verify_ok
+      }
+
+      begin
+        http.start { }
+        revoked, message, revocation_date = test_chain_revocation(chain, open_timeout: open_timeout, read_timeout: read_timeout, redirection_limit: redirection_limit)
+        @logger&.info { "SSLTest #{url} finished: revoked=#{revoked} #{message}" }
+        return [false, "SSL certificate revoked: #{message} (revocation date: #{revocation_date})", cert] if revoked
+        return [true, "Revocation test couldn't be performed: #{message}", cert] if message
+        return [true, nil, cert]
+      rescue OpenSSL::SSL::SSLError => e
+        error = e.message
+        error = "error code %d: %s" % failed_cert_reason if failed_cert_reason
+        if error =~ /certificate verify failed/
+          domains = cert_domains(cert)
+          if matching_domains(domains, uri.host).none?
+            error = "hostname \"#{uri.host}\" does not match the server certificate (#{domains.join(', ')})"
+          end
+        end
+        @logger&.info { "SSLTest #{url} finished: #{error}" }
+        return [false, error, cert]
+      rescue => e
+        @logger&.error { "SSLTest #{url} failed: #{e.message}" }
+        return [nil, "SSL certificate test failed: #{e.message}", cert]
+      end
+    end
+
+    def cache_size
+      {
+        crl: {
+          lists: @crl_response_cache&.size || 0,
+          bytes: ObjectSize.size(@crl_response_cache)
+        },
+        ocsp: {
+          responses: @ocsp_response_cache&.size || 0,
+          errors: @ocsp_request_error_cache&.size || 0,
+          bytes: ObjectSize.size(@ocsp_response_cache) + ObjectSize.size(@ocsp_request_error_cache)
+        }
+      }
+    end
+
+    def flush_cache
+      @crl_response_cache = {}
+      @ocsp_response_cache = {}
+      @ocsp_request_error_cache = {}
+    end
+
+    def logger= logger
+      @logger = logger
+    end
+
+    private
+
+    # https://docs.ruby-lang.org/en/2.2.0/OpenSSL/OCSP.html
+    # https://stackoverflow.com/questions/16244084/how-to-programmatically-check-if-a-certificate-has-been-revoked#answer-16257470
+    # Returns an array with [certificate_revoked?, error_reason, revocation_date]
+    def test_chain_revocation chain, **options
+      # Test each certificates in the chain except the last one (root cert),
+      # which can only be revoked by removing it from the OS.
+      chain[0..-2].each_with_index do |cert, i|
+        @logger&.debug { "SSLTest + test_chain_revocation: #{cert_field_to_hash(cert.subject)['CN']}" }
+
+        # Try with OCSP first
+        ocsp_result = test_ocsp_revocation(cert, issuer: chain[i + 1], chain: chain, **options)
+        @logger&.debug { "SSLTest   + OCSP: #{ocsp_result}" }
+        next if ocsp_result == :ocsp_ok # passed, go to next cert
+        return ocsp_result if ocsp_result[0] == true # revoked
+
+        # Otherwise it means there was an error so let's try with CRL instead
+        crl_result = test_crl_revocation(cert, issuer: chain[i + 1], chain: chain, **options)
+        @logger&.debug { "SSLTest   + CRL: #{crl_result}" }
+        next if crl_result == :crl_ok # passed, go to next cert
+        return crl_result if crl_result[0] == true # revoked
+
+        # If both method failed, return a soft fail with a combination of both error messages
+        return [false, "OCSP: #{ocsp_result[1]}, CRL: #{crl_result[1]}", nil]
+      end
+
+      # If all test passed, the certificate is not revoked
+      [false, nil, nil]
+    end
+
+    def cert_field_to_hash field
+      field.to_a.each.with_object({}) do |v, h|
+        v = v.to_a
+        h[v[0]] = v[1].encode('UTF-8', undef: :replace, invalid: :replace)
+      end
+    end
+
+    def cert_domains cert
+      (Array(cert_field_to_hash(cert.subject)['CN']) +
+        cert_field_to_hash(cert.extensions)['subjectAltName'].split(/\s*,\s*/))
+        .compact
+        .map {|s| s.gsub(/^DNS:/, '') }
+        .uniq
+    end
+
+    def matching_domains domains, hostname
+      domains.map {|s| Regexp.new("\A#{Regexp.escape(s).gsub('\*', '[^.]+')}\z") }
+        .select {|domain| domain.match?(hostname) }
     end
   end
 end

data/lib/ssl-test/crl.rb

@@ -0,0 +1,102 @@
+module SSLTest
+  module CRL
+    CRL_CACHE_DURATION = 3600 # 1 hour
+
+    # A note about caching:
+    # I choose to only cache the raw HTTP body here (and not the parsed list or better a hash
+    # indexed by certificat serial). This is not CPU efficient because it means every time we
+    # need to check a cert from a cached CRL we need to parse it again, instantiate the list
+    # of Revoked certs and then iterate to find it (there's no API to find one cert without
+    # generting the list unfortuantely).
+    # I did this because of memory efficiency, because for big 20MB CRL list (so taking 20MB
+    # in memory cache), the parsed version takes more than 100M, the list of Revoked certs 120MB,
+    # and building a hash with serial, time and reason takes even more.
+    # So doing this would be MUCH faster in terms of CPU for subsequent tests on the same CRL
+    # but would take a LOT of memory.
+    # Also I expect most providers to support OCSP for first level cert (a lot of revokation),
+    # which means we should have to use CRL mostly for intermediaries with much smaller CRL.
+    # That's what Let's Encrypt is doing with their R3 intermediate for example.
+
+    private
+
+    def test_crl_revocation cert, issuer:, chain:, **options
+      crl_distribution_points = cert.extensions.find do |extension|
+        extension.oid == "crlDistributionPoints"
+      end
+
+      return [false, "Missing crlDistributionPoints extension", nil] unless crl_distribution_points
+
+      # OpenSSL 2.2+ may simplify this: https://github.com/ruby/openssl/commit/ea702a106d3d8136c48f244593de95666be0edf9
+      crl = crl_distribution_points.value.split("\n").find do |description|
+        description.match?(/URI:/)
+      end
+
+      return [false, "Missing CRL URI in crlDistributionPoints extension", nil] unless crl
+
+      crl_uri = URI(crl[/URI:(.*)/, 1])
+      http_response, crl_request_error = follow_crl_redirects(crl_uri, **options)
+      return [false, "Request failed (URI: #{crl_uri}): #{crl_request_error}", nil] unless http_response
+
+      response = OpenSSL::X509::CRL.new http_response
+      return [false, "Signature verification failed (URI: #{crl_uri})", nil] unless response.verify(issuer.public_key)
+
+      revoked = response.revoked.find { |r| r.serial == cert.serial }
+      if revoked
+        reason = revoked.extensions.find {|e| e.oid == "CRLReason"}&.value
+        return [true, reason || "Unknown reason", revoked.time]
+      else
+      end
+
+      :crl_ok
+    end
+
+    # Returns an array with [response, error_message]
+    def follow_crl_redirects(uri, open_timeout: 5, read_timeout: 5, redirection_limit: 5)
+      return [nil, "Too many redirections (> #{redirection_limit})"] if redirection_limit == 0
+
+      # Return file from cache if not expired
+      @crl_response_cache ||= {}
+      cache_entry = @crl_response_cache[uri]
+      return [cache_entry[:body], nil] if cache_entry && cache_entry.fetch(:expires) > Time.now
+
+      @logger&.debug { "SSLTest   + CRL: fetch URI #{uri}" }
+      path = uri.path == "" ? "/" : uri.path
+      http = Net::HTTP.new(uri.hostname, uri.port)
+      http.open_timeout = open_timeout
+      http.read_timeout = read_timeout
+
+      req = Net::HTTP::Get.new(path)
+      # Include conditional caching headers from cache to save bandwidth if list didn't change (304)
+      if etag = cache_entry&.fetch(:etag)
+        req["If-None-Match"] = etag
+      elsif last_mod = cache_entry&.fetch(:last_mod)
+        req["If-Modified-Since"] = last_mod
+      end
+      http_response = http.request(req)
+      case http_response
+      when Net::HTTPNotModified
+        # No changes, bump cache expiration time and return cached body
+        @logger&.debug { "SSLTest   + CRL: 304 Not Modified" }
+        @crl_response_cache[uri][:expires] = Time.now + CRL_CACHE_DURATION
+        [cache_entry[:body], nil]
+      when Net::HTTPSuccess
+        # Success, update (or add to) cache and return frech body
+        @logger&.debug { "SSLTest   + CRL: 200 OK (#{http_response.body.bytesize} bytes)" }
+        @logger&.warn { "SSLTest   + CRL: Warning: massive file size" } if http_response.body.bytesize > 1024**2 # 1MB
+        @logger&.warn { "SSLTest   + CRL: Warning: no caching headers on #{uri}" } unless http_response["Etag"] or http_response["Last-Modified"]
+        @crl_response_cache[uri] = {
+          body: http_response.body,
+          expires: Time.now + CRL_CACHE_DURATION,
+          etag: http_response["Etag"],
+          last_mod: http_response["Last-Modified"]
+        }
+        [http_response.body, nil]
+      when Net::HTTPRedirection
+        follow_crl_redirects(URI(http_response["location"]), open_timeout: open_timeout, read_timeout: read_timeout, redirection_limit: redirection_limit - 1)
+      else
+        @logger&.debug { "SSLTest   + CRL: Error: #{http_response.class}" }
+        [nil, "Wrong response type (#{http_response.class})"]
+      end
+    end
+  end
+end

data/lib/ssl-test/object_size.rb

@@ -0,0 +1,25 @@
+require 'objspace'
+
+module ObjectSize
+  def self.size(obj)
+    case obj
+    when String
+      obj.bytesize
+    when Integer
+      obj.size
+    when Hash
+      sum = 0
+      obj.each do |key, val|
+        sum += size(key)
+        sum += size(val)
+      end
+      sum
+    when Array
+      obj.reduce(0) do |sum, val|
+        sum + size(val)
+      end
+    else
+      ObjectSpace.memsize_of(obj)
+    end
+  end
+end

data/lib/ssl-test/ocsp.rb

@@ -0,0 +1,142 @@
+module SSLTest
+  module OCSP
+    ERROR_CACHE_DURATION = 5 * 60 # 5 minutes
+
+    private
+
+    def test_ocsp_revocation cert, issuer:, chain:, **options
+      @ocsp_response_cache ||= {}
+      @ocsp_request_error_cache ||= {}
+
+      unicity_key = "#{cert.issuer}/#{cert.serial}"
+
+      current_request_error_cache = @ocsp_request_error_cache[unicity_key]
+      return current_request_error_cache[:error] if current_request_error_cache && Time.now <= current_request_error_cache[:expires]
+
+      if @ocsp_response_cache[unicity_key].nil? || @ocsp_response_cache[unicity_key][:next_update] <= Time.now
+        authority_info_access = cert.extensions.find do |extension|
+          extension.oid == "authorityInfoAccess"
+        end
+
+        return ocsp_soft_fail_return("Missing authorityInfoAccess extension") unless authority_info_access
+
+        # OpenSSL 2.2+ may simplify this: https://github.com/ruby/openssl/commit/ea702a106d3d8136c48f244593de95666be0edf9
+        ocsp = authority_info_access.value.split("\n").find do |description|
+          description.start_with?("OCSP")
+        end
+
+        return ocsp_soft_fail_return("Missing OCSP URI in authorityInfoAccess extension") unless ocsp
+
+        digest = OpenSSL::Digest::SHA1.new
+        certificate_id = OpenSSL::OCSP::CertificateId.new(cert, issuer, digest)
+
+        request = OpenSSL::OCSP::Request.new
+        request.add_certid certificate_id
+        request.add_nonce
+
+        ocsp_uri = URI(ocsp[/URI:(.*)/, 1])
+        http_response, ocsp_request_error = follow_ocsp_redirects(ocsp_uri, request.to_der, **options)
+        return ocsp_soft_fail_return("Request failed (URI: #{ocsp_uri}): #{ocsp_request_error}", unicity_key) unless http_response
+
+        response = OpenSSL::OCSP::Response.new http_response
+        # https://ruby-doc.org/stdlib-2.6.3/libdoc/openssl/rdoc/OpenSSL/OCSP.html#constants-list
+        return ocsp_soft_fail_return("Unsuccessful response (URI: #{ocsp_uri}): #{ocsp_response_status_to_string(response.status)}", unicity_key) unless response.status == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+        basic_response = response.basic
+
+        # Check the response signature
+        store = OpenSSL::X509::Store.new
+        store.set_default_paths
+        # https://ruby-doc.org/stdlib-2.4.0/libdoc/openssl/rdoc/OpenSSL/OCSP/BasicResponse.html#method-i-verify
+        return ocsp_soft_fail_return("Signature verification failed (URI: #{ocsp_uri})", unicity_key) unless basic_response.verify(chain, store)
+
+        # https://ruby-doc.org/stdlib-2.4.0/libdoc/openssl/rdoc/OpenSSL/OCSP/Request.html#method-i-check_nonce
+        return ocsp_soft_fail_return("Nonce check failed (URI: #{ocsp_uri})", unicity_key) unless request.check_nonce(basic_response) != 0
+
+        # https://ruby-doc.org/stdlib-2.3.0/libdoc/openssl/rdoc/OpenSSL/OCSP/BasicResponse.html#method-i-status
+        response_certificate_id, status, reason, revocation_time, _this_update, next_update, _extensions = basic_response.status.first
+
+        return ocsp_soft_fail_return("Serial check failed (URI: #{ocsp_uri})", unicity_key) unless response_certificate_id.serial == certificate_id.serial
+
+        @ocsp_response_cache[unicity_key] = { status: status, reason: reason, revocation_time: revocation_time, next_update: next_update }
+      end
+
+      ocsp_response = @ocsp_response_cache[unicity_key]
+
+      return [true, revocation_reason_to_string(ocsp_response[:reason]), ocsp_response[:revocation_time]] if ocsp_response[:status] == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
+      :ocsp_ok
+    end
+
+    # Returns an array with [response, error_message]
+    def follow_ocsp_redirects(uri, data, open_timeout: 5, read_timeout: 5, redirection_limit: 5)
+      return [nil, "Too many redirections (> #{redirection_limit})"] if redirection_limit == 0
+
+      @logger&.debug { "SSLTest   + OCSP: fetch URI #{uri}" }
+      path = uri.path == "" ? "/" : uri.path
+      http = Net::HTTP.new(uri.hostname, uri.port)
+      http.open_timeout = open_timeout
+      http.read_timeout = read_timeout
+
+      http_response = http.post(path, data, "content-type" => "application/ocsp-request")
+      case http_response
+      when Net::HTTPSuccess
+        @logger&.debug { "SSLTest   + OCSP: 200 OK (#{http_response.body.bytesize} bytes)" }
+        [http_response.body, nil]
+      when Net::HTTPRedirection
+        follow_ocsp_redirects(URI(http_response["location"]), data, open_timeout: open_timeout, read_timeout: read_timeout, redirection_limit: redirection_limit - 1)
+      else
+        @logger&.debug { "SSLTest   + OCSP: Error: #{http_response.class}" }
+        [nil, "Wrong response type (#{http_response.class})"]
+      end
+    end
+
+    # https://ruby-doc.org/stdlib-2.6.3/libdoc/openssl/rdoc/OpenSSL/OCSP.html#constants-list
+    def ocsp_response_status_to_string(response_status)
+      case response_status
+      when OpenSSL::OCSP::RESPONSE_STATUS_INTERNALERROR
+        "Internal error in issuer"
+      when OpenSSL::OCSP::RESPONSE_STATUS_MALFORMEDREQUEST
+        "Illegal confirmation request"
+      when OpenSSL::OCSP::RESPONSE_STATUS_SIGREQUIRED
+        "You must sign the request and resubmit"
+      when OpenSSL::OCSP::RESPONSE_STATUS_TRYLATER
+        "Try again later"
+      when OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED
+        "Your request is unauthorized"
+      else
+        "Unknown reason"
+      end
+    end
+
+    def revocation_reason_to_string(revocation_reason)
+      # https://ruby-doc.org/stdlib-2.4.0/libdoc/openssl/rdoc/OpenSSL/OCSP.html#constants-list
+      case revocation_reason
+      when OpenSSL::OCSP::REVOKED_STATUS_AFFILIATIONCHANGED
+        "The certificate subject's name or other information changed"
+      when OpenSSL::OCSP::REVOKED_STATUS_CACOMPROMISE
+        "This CA certificate was revoked due to a key compromise"
+      when OpenSSL::OCSP::REVOKED_STATUS_CERTIFICATEHOLD
+        "The certificate is on hold"
+      when OpenSSL::OCSP::REVOKED_STATUS_CESSATIONOFOPERATION
+        "The certificate is no longer needed"
+      when OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE
+        "The certificate was revoked due to a key compromise"
+      when OpenSSL::OCSP::REVOKED_STATUS_NOSTATUS
+        "The certificate was revoked for an unknown reason"
+      when OpenSSL::OCSP::REVOKED_STATUS_REMOVEFROMCRL
+        "The certificate was previously on hold and should now be removed from the CRL"
+      when OpenSSL::OCSP::REVOKED_STATUS_SUPERSEDED
+        "The certificate was superseded by a new certificate"
+      when OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED
+        "The certificate was revoked for an unspecified reason"
+      else
+        "Unknown reason"
+      end
+    end
+
+    def ocsp_soft_fail_return(reason, unicity_key = nil)
+       error = [false, reason, nil]
+       @ocsp_request_error_cache[unicity_key] = { error: error, expires: Time.now + ERROR_CACHE_DURATION } if unicity_key
+       error
+    end
+  end
+end

data/spec/ssl-test_spec.rb

@@ -0,0 +1,226 @@
+require "ssl-test"
+require "benchmark"
+
+# Uncomment for debug logging:
+# require "logger"
+# SSLTest.logger = Logger.new(STDOUT)
+
+describe SSLTest do
+  describe '.test' do
+    it "returns no error on valid SNI website" do
+      valid, error, cert = SSLTest.test("https://www.mycs.com")
+      expect(error).to be_nil
+      expect(valid).to eq(true)
+      expect(cert).to be_a OpenSSL::X509::Certificate
+    end
+
+    it "returns no error on valid SAN" do
+      valid, error, cert = SSLTest.test("https://1000-sans.badssl.com/")
+      expect(error).to be_nil
+      expect(valid).to eq(true)
+      expect(cert).to be_a OpenSSL::X509::Certificate
+    end
+
+    it "returns no error when no CN" do
+      skip "Expired for the moment https://github.com/chromium/badssl.com/issues/447"
+      valid, error, cert = SSLTest.test("https://no-common-name.badssl.com/")
+      expect(error).to be_nil
+      expect(valid).to eq(true)
+      expect(cert).to be_a OpenSSL::X509::Certificate
+    end
+
+    it "works with websites blocking http requests" do
+      valid, error, cert = SSLTest.test("https://obyava.ua")
+      expect(error).to be_nil
+      expect(valid).to eq(true)
+      expect(cert).to be_a OpenSSL::X509::Certificate
+    end
+
+    it "returns error on self signed certificate" do
+      valid, error, cert = SSLTest.test("https://self-signed.badssl.com/")
+      expect(error).to eq ("error code 18: self signed certificate")
+      expect(valid).to eq(false)
+      expect(cert).to be_a OpenSSL::X509::Certificate
+    end
+
+    it "returns error on incomplete chain" do
+      valid, error, cert = SSLTest.test("https://incomplete-chain.badssl.com/")
+      expect(error).to eq ("error code 20: unable to get local issuer certificate")
+      expect(valid).to eq(false)
+      expect(cert).to be_a OpenSSL::X509::Certificate
+    end
+
+    it "returns error on untrusted root" do
+      valid, error, cert = SSLTest.test("https://untrusted-root.badssl.com/")
+      expect(error).to eq ("error code 19: self signed certificate in certificate chain")
+      expect(valid).to eq(false)
+      expect(cert).to be_a OpenSSL::X509::Certificate
+    end
+
+    it "returns error on invalid host" do
+      valid, error, cert = SSLTest.test("https://wrong.host.badssl.com/")
+      expect(error).to include('hostname "wrong.host.badssl.com" does not match the server certificate')
+      expect(valid).to eq(false)
+      expect(cert).to be_a OpenSSL::X509::Certificate
+    end
+
+    it "returns error on expired cert" do
+      valid, error, cert = SSLTest.test("https://expired.badssl.com/")
+      expect(error).to eq ("error code 10: certificate has expired")
+      expect(valid).to eq(false)
+      expect(cert).to be_a OpenSSL::X509::Certificate
+    end
+
+    it "returns undetermined state on unhandled error" do
+      valid, error, cert = SSLTest.test("https://pijoinlrfgind.com")
+      expect(error).to eq ("SSL certificate test failed: Failed to open TCP connection to pijoinlrfgind.com:443 (getaddrinfo: Name or service not known)")
+      expect(valid).to be_nil
+      expect(cert).to be_nil
+    end
+
+    it "stops on timeouts" do
+      valid, error, cert = SSLTest.test("https://updown.io", open_timeout: 0)
+      expect(error).to eq ("SSL certificate test failed: Net::OpenTimeout")
+      expect(valid).to be_nil
+      expect(cert).to be_nil
+    end
+
+    it "reports revocation exceptions" do
+      expect(SSLTest).to receive(:follow_ocsp_redirects).and_raise(ArgumentError.new("test"))
+      valid, error, cert = SSLTest.test("https://updown.io")
+      expect(error).to eq ("SSL certificate test failed: test")
+      expect(valid).to be_nil
+      expect(cert).to be_a OpenSSL::X509::Certificate
+    end
+
+    it "returns error on revoked cert (OCSP)" do
+      expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
+      expect(SSLTest).not_to receive(:follow_crl_redirects)
+      valid, error, cert = SSLTest.test("https://revoked.badssl.com/")
+      expect(error).to eq ("SSL certificate revoked: The certificate was revoked for an unknown reason (revocation date: 2019-10-07 20:30:39 UTC)")
+      expect(valid).to eq(false)
+      expect(cert).to be_a OpenSSL::X509::Certificate
+    end
+
+    it "returns error on revoked cert (CRL)" do
+      expect(SSLTest).to receive(:test_ocsp_revocation).once.and_return([false, "skip OCSP", nil])
+      expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
+      valid, error, cert = SSLTest.test("https://revoked.badssl.com/")
+      expect(error).to eq ("SSL certificate revoked: Unknown reason (revocation date: 2019-10-07 20:30:39 UTC)")
+      expect(valid).to eq(false)
+      expect(cert).to be_a OpenSSL::X509::Certificate
+    end
+
+    it "stops following redirection after the limit for the revoked certs check" do
+      valid, error, cert = SSLTest.test("https://github.com/", redirection_limit: 0)
+      expect(error).to eq ("Revocation test couldn't be performed: OCSP: Request failed (URI: http://ocsp.digicert.com): Too many redirections (> 0), CRL: Request failed (URI: http://crl3.digicert.com/sha2-ha-server-g6.crl): Too many redirections (> 0)")
+      expect(valid).to eq(true)
+      expect(cert).to be_a OpenSSL::X509::Certificate
+    end
+
+    it "warns when the OCSP URI is missing" do
+      # Disable CRL fallback to see error message
+      expect(SSLTest).to receive(:test_crl_revocation).once.and_return([false, "skip CRL", nil])
+      expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
+      valid, error, cert = SSLTest.test("https://www.demarches-simplifiees.fr")
+      expect(error).to eq ("Revocation test couldn't be performed: OCSP: Missing OCSP URI in authorityInfoAccess extension, CRL: skip CRL")
+      expect(valid).to eq(true)
+      expect(cert).to be_a OpenSSL::X509::Certificate
+    end
+
+    it "works with CRL only" do
+      # Disable OCSP
+      expect(SSLTest).to receive(:test_ocsp_revocation).twice.and_return([false, "skip OCSP", nil])
+      expect(SSLTest).to receive(:follow_crl_redirects).twice.and_call_original
+      valid, error, cert = SSLTest.test("https://www.demarches-simplifiees.fr")
+      expect(error).to be_nil
+      expect(valid).to eq(true)
+      expect(cert).to be_a OpenSSL::X509::Certificate
+    end
+
+    it "warns when the CRL URI is missing" do
+      # Disable OCSP to see error message
+      expect(SSLTest).to receive(:test_ocsp_revocation).once.and_return([false, "skip OCSP", nil])
+      expect(SSLTest).not_to receive(:follow_crl_redirects)
+      valid, error, cert = SSLTest.test("https://meta.updown.io")
+      expect(error).to eq ("Revocation test couldn't be performed: OCSP: skip OCSP, CRL: Missing crlDistributionPoints extension")
+      expect(valid).to eq(true)
+      expect(cert).to be_a OpenSSL::X509::Certificate
+    end
+
+    it "works with OCSP for first cert and CRL for intermediate (Let's Encrypt R3 intermediate)" do
+      expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
+      expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
+      valid, error, cert = SSLTest.test("https://meta.updown.io/")
+      expect(error).to be_nil
+      expect(valid).to eq(true)
+      expect(cert).to be_a OpenSSL::X509::Certificate
+    end
+
+    it "works with OCSP for first cert and CRL for intermediate (Certigna Services CA)" do
+      expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
+      expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
+      # Similar chain: https://www.demarches-simplifiees.fr
+      valid, error, cert = SSLTest.test("https://www.anonymisation.gov.pf")
+      expect(error).to be_nil
+      expect(valid).to eq(true)
+      expect(cert).to be_a OpenSSL::X509::Certificate
+    end
+  end
+
+  describe '.cache_size' do
+    before { SSLTest.flush_cache }
+
+    it "returns 0 by default" do
+      expect(SSLTest.cache_size).to eq({
+        crl:  { bytes: 0,  lists: 0 },
+        ocsp: { bytes: 0, errors: 0, responses: 0 }
+      })
+    end
+
+    it "returns CRL cache size properly" do
+      SSLTest.send(:follow_crl_redirects, URI("http://crl.certigna.fr/certigna.crl")) # 1.3k
+      SSLTest.send(:follow_crl_redirects, URI("http://crl3.digicert.com/ssca-sha2-g6.crl")) # 19M
+      expect(SSLTest.cache_size[:crl][:lists]).to eq(2)
+      expect(SSLTest.cache_size[:crl][:bytes]).to be > 19_000_000
+    end
+
+    it "returns OCSP cache size properly" do
+      SSLTest.test("https://updown.io")
+      expect(SSLTest.cache_size[:ocsp][:responses]).to eq(2)
+      expect(SSLTest.cache_size[:ocsp][:errors]).to eq(0)
+      expect(SSLTest.cache_size[:ocsp][:bytes]).to be > 200
+    end
+  end
+
+  describe '.follow_crl_redirects' do
+    before { SSLTest.flush_cache }
+    # 19MB: http://crl3.digicert.com/ssca-sha2-g6.crl
+    it "fetch CRL list and updates cache" do
+      uri = URI("http://crl.certigna.fr/certigna.crl")
+      body, error = SSLTest.send(:follow_crl_redirects, uri)
+      expect(body.bytesize).to equal 1152
+      expect(error).to be_nil
+
+      # Check cache status
+      cache = SSLTest.instance_variable_get('@crl_response_cache')
+      expect(cache.size).to equal 1
+      expect(cache.keys).to match_array [uri]
+      expect(cache[uri].keys).to match_array [:body, :expires, :etag, :last_mod]
+      expect(cache[uri][:expires]).to be > (Time.now + 3590)
+
+      # Make sure we return value from cache
+      body2, error2 = nil, nil
+      time = Benchmark.realtime { body2, error2 = SSLTest.send(:follow_crl_redirects, uri) }
+      expect(time).to be < 0.001 # no request
+      expect(body2).to be(body) # using cache
+
+      # Make sure we return cached value in case of 304
+      cache[uri][:expires] = Time.now # cache is now expired
+      body2, error2 = nil, nil
+      time = Benchmark.realtime { body2, error2 = SSLTest.send(:follow_crl_redirects, uri) }
+      expect(time).to be > 0.001 # a request is made
+      expect(body2).to be(body) # but we're still using cache because it's a 304
+    end
+  end
+end

data/ssl-test.gemspec

@@ -6,7 +6,7 @@ require 'ssl-test'
 Gem::Specification.new do |spec|
   spec.name          = "ssl-test"
   spec.version       = SSLTest::VERSION
-  spec.authors       = ["Adrien Jarthon"]
+  spec.authors       = ["Adrien Rey-Jarthon"]
   spec.email         = ["jobs@adrienjarthon.com"]
   spec.summary       = %q{Test website SSL certificate validity}
   spec.homepage      = "https://github.com/jarthod/ssl-test"
@@ -17,6 +17,7 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
-  spec.add_development_dependency "bundler", "~> 1.7"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "bundler", ">= 1.7"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
 end

metadata

@@ -1,43 +1,57 @@
 --- !ruby/object:Gem::Specification
 name: ssl-test
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.4.0
 platform: ruby
 authors:
-- Adrien Jarthon
+- Adrien Rey-Jarthon
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-11-01 00:00:00.000000000 Z
+date: 2021-01-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.7'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: 
 email:
 - jobs@adrienjarthon.com
@@ -46,13 +60,17 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".travis.yml"
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
 - lib/ssl-test.rb
+- lib/ssl-test/crl.rb
+- lib/ssl-test/object_size.rb
+- lib/ssl-test/ocsp.rb
+- spec/ssl-test_spec.rb
 - ssl-test.gemspec
-- test/ssl-test_test.rb
 homepage: https://github.com/jarthod/ssl-test
 licenses:
 - MIT
@@ -72,11 +90,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.4.5.1
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Test website SSL certificate validity
 test_files:
-- test/ssl-test_test.rb
-has_rdoc: 
+- spec/ssl-test_spec.rb

data/test/ssl-test_test.rb

@@ -1,57 +0,0 @@
-require "ssl-test"
-require "minitest/autorun"
-
-describe SSLTest do
-
-  describe '.test' do
-    it "returns no error on valid SNI website" do
-      valid, error, cert = SSLTest.test("https://www.mycs.com")
-      valid.must_equal true
-      error.must_be_nil
-      cert.must_be_instance_of OpenSSL::X509::Certificate
-    end
-
-    it "returns error on self signed certificate" do
-      valid, error, cert = SSLTest.test("https://kernelcoffee.org")
-      valid.must_equal false
-      error.must_equal "error code 18: self signed certificate"
-      cert.must_be_instance_of OpenSSL::X509::Certificate
-    end
-
-    it "returns error on invalid host" do
-      valid, error, cert = SSLTest.test("https://staging.updown.io")
-      valid.must_equal false
-      error.must_equal 'hostname "staging.updown.io" does not match the server certificate'
-      cert.must_be_instance_of OpenSSL::X509::Certificate
-    end
-
-    it "returns error on expired cert" do
-      valid, error, cert = SSLTest.test("https://testssl-expire.disig.sk")
-      valid.must_equal false
-      error.must_equal "error code 10: certificate has expired"
-      cert.must_be_instance_of OpenSSL::X509::Certificate
-    end
-
-    it "returns undetermined state on unhandled error" do
-      valid, error, cert = SSLTest.test("https://pijoinlrfgind.com")
-      valid.must_be_nil
-      error.must_equal "SSL certificate test failed: getaddrinfo: Name or service not known"
-      cert.must_be_nil
-    end
-
-    it "stops on timeouts" do
-      valid, error, cert = SSLTest.test("https://approachio.com", open_timeout: 1)
-      valid.must_be_nil
-      error.must_equal "SSL certificate test failed: execution expired"
-      cert.must_be_nil
-    end
-
-    # Not implemented yet
-    # it "returns error on revoked cert" do
-    #   valid, error, cert = SSLTest.test("https://revoked.grc.com")
-    #   valid.must_equal false
-    #   error.must_equal "error code XX: certificate has been revoked"
-    #   cert.must_be_instance_of OpenSSL::X509::Certificate
-    # end
-  end
-end